If you’ve ever had a site hacked, it’s really a pain in the ass. Back in 2019, hackers got access to the root directory of my shared hosting server. All hell broke loose over the course of a few days.
Years before that, while I was a full-time employee at Dell, they postered over a client site I had been managing on the side. That was completely different and terrifying. That was an old-fashioned hack. Today, they (the hackers) are much more persistent and good at hacking and cracking site codes and security plugins. And just today, I figured out one last tidbit of data that had eluded me on my current site, this one.
First Question: How are they getting in?
I use a series of security plugins on my WordPress site, but the hacking mob was still trying to log in 24/7. I’m assuming it was bots, scripts. Heck, probably AI is being trained in Iran for nefarious purposes. Anyway, I was confused by all the blocked login attempts in my WordFence log files.
First Attempt: Hide the wp-admin URL.
Okay, so I added a plugin to obscure the normal WP login. Didn’t even slow them down.
Fuck.
Second Question: If I’m hiding the login how are they finding it again so quickly?
I looked into more WordFence settings. I scrubbed my site for malicious code. (There was none.) And I started randomly changing the obscured login URL. Didn’t help. I did some research and found out that there’s a little thing, XML-RPC, and this process was being “pinged” or used to get a response out of WordPress to give them the new URL. I disabled XML-RPC and the login attempts went cold.
Okay, so that should’ve been enough. But there was another point that was bugging me about uber.la in general. How was my site still generating 200 visits a day when the old login URL was now hidden?
How was I getting hundreds of visitors a day, while only 1 click was registered from 150 Google Search results over the last 28 days?
Third Question: How am I getting so much traffic even after I’ve killed the login snipers?
This one took a bit more human cognition. I began making a few changes in my WordPress settings and WordFence settings to see if I could find the answer.
What I did next answered the mystery. I made that change three days ago, however, and the traffic was still oddly high. Today, I was chatting with my son, the coder, about my site and my analytics. I was telling him about my most popular posts. And this screengrab I shared with him unlocked my human cognition.
Here’s the screenshot of GA of this site.
Okay, so #7 is an obvious issue. Bots, hackers, and spiders are trying to find pages that no longer exist. But the big reveal is line 2.
sitemap-2
In my sleuthing and poking around, I set up a redirect for browsers that tried to reach /wp-admin/, the no-longer-valid admin page of WordPress. That redirect, rather than taking them to a fk you page, just redirects them to the sitemap-2 page. Duh.
The Answer: The bots are still swarming a site they cracked years ago. And when they try to log in with the normal admin page they are taken to sitemap 2.
Ta-da.
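The access-log check below is an added example, not code from this post or from any plugin mentioned in it. It separates hits on the redirect target that arrive right after a redirected login probe from hits that arrive on their own, and counts XML-RPC requests. The combined log format, the `/sitemap-2` path, the `/wp-login.php` probe path and the 5-second window are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /sitemap-2/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:00:10 +0000] "GET /sitemap-2/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:03:00 +0000] "GET /sitemap-2/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PROBES = ("/wp-admin", "/wp-login.php")  # assumption: both get redirected
LANDING = "/sitemap-2"                          # assumed URL of the redirect target
WINDOW = timedelta(seconds=5)                   # assumed max gap from probe to landing

def classify(log_text):
    """Split landing-page hits into redirect-induced vs. organic; count XML-RPC calls."""
    stats = Counter()
    last_probe = {}  # client IP -> time of its last redirected login probe
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"], m["status"]
        if path.startswith("/xmlrpc.php"):
            stats["xmlrpc_requests"] += 1
        elif path.startswith(LOGIN_PROBES) and status in ("301", "302"):
            stats["login_probes_redirected"] += 1
            last_probe[ip] = ts
        elif path.startswith(LANDING):
            probe = last_probe.pop(ip, None)  # each probe explains one landing hit
            if probe is not None and ts - probe <= WINDOW:
                stats["landing_hits_from_redirect"] += 1
            else:
                stats["landing_hits_organic"] += 1
    return dict(stats)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

If most hits on the landing page fall into the redirect bucket, the redirect is what is inflating that page's numbers; returning a 403 or 404 for the old admin path instead keeps those requests out of the page counts.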
So, I’m guessing that we’ve got a lot of work to do if we’re going to rez uber.la from the grave. We’ve got to find and build some SEO traction. Determine what the point of the site is, besides my rants. Then, perhaps we will earn the traffic.
John McElhenney — let’s connect online